Learning AWS - IAM (Identity Access Management)


Introduction

IAM stands for Identity and Access Management. It is a global service in AWS where we create users and assign them to groups. The moment you create an AWS account, a root account is created by default. This root account should not be used or shared for daily operations. Instead, we use the root account to create IAM users, one per person, and group those users for easier management.

Why Create Groups and Users?

When we want to allow others to use our AWS account, we need to give them specific permissions. This is where IAM Policies come into play. We can assign IAM Policies to both users and groups.

What is an IAM Policy?

An IAM Policy is a JSON object in a nearly human-readable format that defines permissions, dictating what a user or group can do. Here’s an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullAccess",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": ["*"]
        },
        {
            "Sid": "DenyCustomerBucket",
            "Effect": "Deny",
            "Action": ["s3:*"],
            "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]
        }
    ]
}

This policy grants full access to S3 except for the bucket named "customer" and the objects inside it: the explicit Deny statement takes precedence over the Allow, so requests against that bucket are refused even though the first statement would otherwise permit them.

Example: Groups and Users

Imagine we have three groups and six users:

  • Group A: User 1, User 2, User 3
  • Group B: User 3, User 4
  • Group C: User 4, User 5, User 6

This means:

  • User 3 is a member of both Group A and Group B.
  • User 4 is a member of both Group B and Group C.

Here's a visualization:

       +-------+                                                     +-------+
       | User 1|                                                     | User 5|
       +-------+                                                     +-------+
           ^                                                             ^
           |                                                             |
       +-------+      +-------+      +-------+      +-------+        +-------+
       |Group A|<---->| User 3|<---->|Group B|<---->| User 4| <----> |Group C| 
       +-------+      +-------+      +-------+      +-------+        +-------+
           |                                                             |
           v                                                             v
       +-------+                                                     +-------+
       | User 2|                                                     | User 6|
       +-------+                                                     +-------+

IAM Policy Structure

IAM policies consist of several components:

  • Version: The policy language version, usually "2012-10-17".
  • ID: An optional identifier for the policy.
  • Statements: One or more statements, each containing:
    • Sid: An optional statement ID.
    • Effect: Whether the statement allows or denies access.
    • Principal: The accounts, users, or roles to which the policy applies.
    • Action: The list of API calls that are either denied or allowed.
    • Resource: The list of resources to which the actions apply.
    • Condition: Optional conditions for when the statement should be applied.
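To see how these components combine, here is a small Python evaluator, added here and not part of the original post or of any AWS library, that applies the S3 policy shown earlier to individual requests. It handles only Effect, Action and Resource with IAM's wildcard matching and ignores Principal, Condition, NotAction and NotResource, which is enough to show why the explicit Deny wins over the broad Allow and why the Deny does not spill over to similarly named buckets.

```python
import fnmatch
import json

# The policy from the article, embedded here as sample input.
POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAccess", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": ["*"]},
        {"Sid": "DenyCustomerBucket", "Effect": "Deny",
         "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]}
    ]
}
""")


def _as_list(value):
    # Action and Resource may be written as a single string or as a list.
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    # IAM wildcards "*" and "?" behave like shell globs; "*" also spans "/".
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Decide one request: an explicit Deny wins over any Allow, and a request
    that no Allow statement matches is implicitly denied.
    Simplification: Principal, Condition, NotAction and NotResource are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are matched case-insensitively, resource ARNs are not.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"      # explicit deny: evaluation stops here
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::reports/q1.csv"))      # Allow
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::customer/secret.csv"))  # Deny
```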

Multi-Factor Authentication (MFA)

Once users and groups are created, it's crucial to protect them from being compromised. AWS provides two defense mechanisms: password policies and Multi-Factor Authentication (MFA).

Password Policies

A strong password policy enhances account security. In AWS, you can set up a password policy with options such as:

  • Minimum password length
  • Specific character types (uppercase, lowercase, numbers, special characters)
  • Allowing or disallowing users to change their own passwords
  • Requiring periodic password changes (e.g., every 90 days)
  • Preventing password reuse

Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring both a password and a security device. Even if the password is compromised, the account stays protected because an attacker would also need the physical device.

Types of MFA Devices in AWS

  • Virtual MFA Device: Use Google Authenticator or Authy on a phone.
  • Universal 2nd Factor (U2F) Security Key: Physical devices like YubiKey.
  • Hardware Key Fob MFA Device: Provided by third parties like Gemalto.
  • GovCloud Key Fob: Special key fob for AWS GovCloud provided by SurePassID.

IAM Roles

IAM Roles are used to assign permissions to AWS services, similar to users but intended for AWS services instead of people. For example, an EC2 instance may need permissions to perform actions on AWS. We create an IAM Role and assign it to the EC2 instance. Common roles include EC2 Instance roles, Lambda Function Roles, and CloudFormation Roles.

Example: IAM Role for EC2

An EC2 instance, which is like a virtual server, may need to perform actions on AWS. We create an IAM Role and attach it to the EC2 instance. The EC2 instance uses the IAM Role to access AWS resources based on the permissions assigned to the role.

IAM Security Tools

AWS provides security tools such as the IAM Credentials Report and IAM Access Advisor to help manage IAM effectively.

IAM Credentials Report

The IAM Credentials Report is generated at the account level and contains details of all users and the status of their various credentials.
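As an added example that is not the article's own code, the following Python reads a credentials report in the CSV shape AWS produces and flags console users without MFA and active access keys past the 90-day rotation window mentioned above. The report rows, the evaluation date and the account ID 111122223333 are constructed sample data, and the sample carries only a subset of the report's real columns.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the report's CSV shape (a subset of its real columns);
# 111122223333 is a placeholder account ID.
REPORT_CSV = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-01T09:00:00+00:00,true,true,2024-05-01T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2023-11-20T12:30:00+00:00,false,true,2023-01-10T08:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,N/A,false,true,2024-04-15T00:00:00+00:00,true,2022-06-01T00:00:00+00:00
"""

MAX_KEY_AGE = timedelta(days=90)  # the rotation period the article uses as its example
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "now" for the sample


def _parse_time(value):
    # Fields that do not apply hold "N/A", "not_supported" or "no_information".
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def find_credential_issues(report_csv, now=AS_OF):
    """Return sorted (user, issue) pairs: console users lacking MFA, and active
    access keys that were last rotated more than MAX_KEY_AGE ago (or never)."""
    issues = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append((user, "console password without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                issues.append((user, f"access key {slot} older than {MAX_KEY_AGE.days} days"))
    return sorted(issues)


if __name__ == "__main__":
    for user, issue in find_credential_issues(REPORT_CSV):
        print(f"{user}: {issue}")
```

The root row is skipped by the MFA check because its password_enabled field is "not_supported" rather than "true", so root MFA still has to be verified separately.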

IAM Access Advisor

IAM Access Advisor is available at the user level and shows the service permissions granted to a user and the last time those services were accessed. This helps in adhering to the principle of least privilege by identifying unused permissions.

By understanding and using these IAM features, you can manage access and permissions in your AWS environment effectively.

Stay tuned for more about AWS.
